From 129232f8779d15a78a9025fdc85aac4df8492b50 Mon Sep 17 00:00:00 2001 From: Matthew Watkins Date: Tue, 12 May 2026 14:06:52 +0100 Subject: [PATCH] CI(harden-runner): Add audit fallback for fork PR runs Both currently-open PRs to lfit/dependamerge are blocked because they were raised from forks, where the CONNECTION_WHITELIST repo/org variable is not exposed to the workflow. When the allowed-endpoints input to step-security/harden-runner is empty, block-mode egress refuses every outbound connection and CI jobs that need network access (uv installs, audit downloads, image fetches, etc.) fail before doing useful work. Replace each existing single harden-runner step with a conditional pair: - block-mode step gated on CONNECTION_WHITELIST != '' - audit-mode fallback step gated on CONNECTION_WHITELIST == '' GitHub evaluates both ifs independently and runs exactly one step. When the variable is present (push to main, internal branches) we keep the existing strict block-mode policy. When the variable is absent (fork PRs) we fall back to audit-only, which logs every egress destination without blocking it so the job still runs. The audit log is still attached to the run and remains available for review. Same step-security/harden-runner SHA pin (a5ad31d6a139d249332a2605b85202e8c0b78450, v2.19.1) preserved on every site. No other behavioural changes. Sites updated (20 total): * .github/workflows/autolabeler.yaml (1) * .github/workflows/build-test-release.yaml (11) * .github/workflows/build-test.yaml (7) * .github/workflows/release-drafter.yaml (1) actionlint and yamllint both clean for the modified files. Co-authored-by: Claude Signed-off-by: Matthew Watkins --- .github/workflows/autolabeler.yaml | 20 +- .github/workflows/build-test-release.yaml | 220 +++++++++++++++++++--- .github/workflows/build-test.yaml | 140 ++++++++++++-- .github/workflows/release-drafter.yaml | 20 +- 4 files changed, 360 insertions(+), 40 deletions(-) 
diff --git a/.github/workflows/autolabeler.yaml b/.github/workflows/autolabeler.yaml index 4c03977..d5c228e 100644 --- a/.github/workflows/autolabeler.yaml +++ b/.github/workflows/autolabeler.yaml @@ -50,12 +50,28 @@ jobs: timeout-minutes: 3 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: release-drafter/release-drafter/autolabeler@c2e2804cc59f45f57076a99af580d0fedb697927 # v7.3.0 diff --git a/.github/workflows/build-test-release.yaml b/.github/workflows/build-test-release.yaml index 56945db..4cbe908 100644 --- a/.github/workflows/build-test-release.yaml +++ b/.github/workflows/build-test-release.yaml 
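Review bot: The audit fallback is gated only on `vars.CONNECTION_WHITELIST == ''`, not on the run actually coming from a fork, so if the variable is ever removed or renamed at repository or organization level every job in these four workflows silently drops from block mode to audit mode and nothing in the run flags it. I'd add a guard step beside the fallback that fails unless the missing whitelist is explained by a fork PR, along the lines of `- name: 'Require egress whitelist outside fork PRs'` / `if: ${{ vars.CONNECTION_WHITELIST == '' && github.event.pull_request.head.repo.fork != true }}` / `run: exit 1`, or at minimum have the fallback path emit a `::warning::` annotation so the downgrade is visible in the run summary. The same pattern is repeated at every other site in this patch (the remaining hunks of build-test-release.yaml, build-test.yaml and release-drafter.yaml), so whichever guard is chosen should go into all 20 sites. The enclosing job definitions start before each hunk, so the `on:` triggers that decide which jobs can see a fork PR are not visible here.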
@@ -27,13 +27,29 @@ jobs: pull-requests: read timeout-minutes: 5 steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -60,13 +76,29 @@ jobs: tag: "${{ steps.tag-validate.outputs.tag_name }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Checkout repository' # yamllint disable-line rule:line-length uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -128,13 +160,29 @@ jobs: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -159,13 +207,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -188,13 +252,29 @@ jobs: timeout-minutes: 10 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -214,13 +294,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -260,13 +356,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: "Download SBOM artefact" # yamllint disable-line rule:line-length uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 
@@ -433,13 +545,29 @@ jobs: timeout-minutes: 5 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Test PyPI publishing' # yamllint disable-line rule:line-length uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23 # v0.1.6 
@@ -462,13 +590,29 @@ jobs: timeout-minutes: 5 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'PyPI release' # yamllint disable-line rule:line-length uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23 # v0.1.6 
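Review bot: For the `PyPI release` job the audit fallback lets a publish run proceed with unrestricted egress whenever `CONNECTION_WHITELIST` is absent, and on a release trigger that can only be a misconfiguration rather than a fork PR, since fork PRs presumably never reach a publishing job. For this job and for the `Test PyPI publishing` job in the previous hunk I'd drop the audit fallback altogether and replace it with a step under the same `if:` that fails the job, e.g. `- name: 'Refuse to publish without egress whitelist'` / `if: ${{ vars.CONNECTION_WHITELIST == '' }}` / `run: exit 1`, so a release never publishes without the block-mode policy. The job's trigger condition is outside the hunk, so the assumption that it never runs from a fork should be checked against the workflow's `on:` block.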
@@ -501,13 +645,29 @@ jobs: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -541,13 +701,29 @@ jobs: release_url: "${{ steps.promote-release.outputs.release_url || steps.set-promoted-url.outputs.release_url }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml index 6e0c3fb..e572e8c 100644 --- a/.github/workflows/build-test.yaml +++ b/.github/workflows/build-test.yaml 
@@ -40,13 +40,29 @@ jobs: pull-requests: read timeout-minutes: 5 steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -76,13 +92,29 @@ jobs: env: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Clear Python dependency caches' env: REPO: "${{ github.repository }}" 
@@ -161,13 +193,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -190,13 +238,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -220,13 +284,29 @@ jobs: timeout-minutes: 10 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -247,13 +327,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -294,13 +390,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: "Download SBOM artefact" # yamllint disable-line rule:line-length uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml index faddfc7..11a2bf9 100644 --- a/.github/workflows/release-drafter.yaml +++ b/.github/workflows/release-drafter.yaml 
@@ -26,12 +26,28 @@ jobs: timeout-minutes: 3 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7.3.0